
Photo caption: Huntington Bancshares employees walk laps around their office building on Morse Road in 2012 as part of the company’s wellness program. (Jonathan Quilter | Dispatch file photo)

It’s Ohio’s first hacking-related health-care data breach involving the unsecured personal
information of at least 500 people, according to a federal database.

The data breach occurred on March 25 but was publicly disclosed this week in a database kept by
the U.S. Department of Health and Human Services. Huntington said about half of those affected are
in central Ohio.

StayWell Health Management, which ran Columbus-based Huntington’s wellness program, said it was
told in June of the breach by one of its former vendors, Onsite Health Diagnostics. That vendor
stored the information in an online scheduling application for health screenings.

Health, financial and Social Security data were secure, but hackers accessed current and former
workers’ names, user names, email addresses, mailing addresses, phone numbers, gender and dates of
birth.

StayWell, which said it does not know the hacker’s identity or location, notified Huntington’s
wellness program participants of the breach on July 28.

At least two other StayWell clients also were affected by the hackers that hit Huntington:
Dominion Resources in Virginia (1,700 people affected) and Motorola Mobility in Illinois (940
affected).

The breach isn’t StayWell’s first. Nearly 18,600 people associated with Missouri Consolidated
Health Care Plan, the Clorox Company Group Insurance Plan in California, the University of
Minnesota, Nissan North America and QBE Holdings were affected by unauthorized access to network
servers — a breach that began in the spring of 2012 but was not discovered until January this
year.

Huntington spokesman Brent Wilder said StayWell no longer is a vendor for the bank. He said
Huntington has made a year of free credit monitoring available to those who were affected, and he
said Huntington “is unaware of any compromises related to the incident.”

News of the data breach at Huntington comes after a Chinese cyberattack on Franklin, Tenn.-based
Community Health Systems’ computer network, which affected an estimated 4.5 million current and
former patients.

The data accessed in April and June at CHS included patient names, addresses, birthdates,
telephone numbers and Social Security numbers, but not patient credit-card, medical or clinical
information, though the hospital system said the intruder in many cases has tried to obtain
valuable intellectual property, such as medical-device and equipment-development data.

CHS published a notice of the breach in
The Dispatch on Monday. It has no affiliated hospitals or practices in Columbus. But the
company provides management, consulting and information technology services to four affiliated
hospitals in Massillon, Youngstown and Warren in northeastern Ohio.

Officials at both CHS and StayWell declined interview requests.

Health-care providers have made strides in going digital with their health records as they seek
to catch up with other industries, said John DiMaggio, CEO of Blue Orange Compliance in Dublin,
which works on information security with health-care providers. (Community Health Systems is not
one of its clients.)

But health-care providers remain a popular target for hackers, and Blue Orange said on its
website that health-care data breaches are increasing more quickly than in any other industry
segment.

Still, consumers should feel comfortable with going to a doctor’s office or hospital because the
risk of a breach remains low, DiMaggio said.

Data encryption is vital in deterring such breaches, said Dan Paoletti, CEO of the Ohio Health
Information Partnership. For example, the passwords of participants in Huntington’s wellness
programs were encrypted, making the passwords unusable despite the fact that they were accessed,
according to StayWell.

By law, hospitals and other health-care providers must conduct risk assessments to identify any
vulnerability to hackers, who routinely probe hospitals’ computer networks in search of
weaknesses, said Sean McGlone, chief legal counsel for the Ohio Hospital Association.

The hackers’ sophisticated approaches are constantly evolving, and McGlone compared it to sports
officials trying to keep up with those who peddle performance-enhancing drugs. “It’s analogous to
chasing the dopers,” he said.

But most breaches involving health care are more low-tech — the loss or theft of a laptop, for
example, or hospital workers accessing the medical records of a patient without a valid reason for
doing so, McGlone said.

Of 29 data breaches in Ohio that involved the unsecured health information of at least 500
people, 10 involved the loss or theft of a laptop or desktop computer.